Demo Discussion
Forum Config Examples Contributions Vulnerabilities
  Discussion forum about ELOG  Not logged in ELOG logo
 Back  |  Find  |  Login  |  Help 
icon5.gif   Checking logging before posting, posted by Daniel Campora on Thu Apr 4 17:47:12 2013 
    icon2.gif   Re: Checking logging before posting, posted by Stefan Ritt on Fri Apr 5 10:07:57 2013 
Message ID: 67476     Entry time: Fri Apr 5 10:07:57 2013     In reply to: 67474
Icon: Reply  Author: Stefan Ritt  Author Email: stefan.ritt@psi.ch 
Category: Bug report  OS: Linux  ELOG Version: 2.9.2 
Subject: Re: Checking logging before posting 

Daniel Campora wrote:

Hi there,

 

Here's a bit of a special scenario. There's no server-side check the user is logged in upon posting, but it rather seems the server relies on the post data sent from the form.

An example of this can be triggered on a write restricted elog, by hitting on New and logging out in another tab. Then posting, from the first tab, will post as if the user was logged on. Hitting back and posting again also works.

 

Cheers

Yes the credentials are stored in the form where you enter your text. This has following reason: In a shared environment (several people sitting around a computer) we want to identify who submits an elog entry, but not bother the person to enter his/her password every few minutes. So in our experiment I set the time-out to 15 min, meaning after 15 minutes of inactivity a user gets logged out. If the user accesses ELOG every ten minutes or so, he/she stays logged in for a whole shift, which is what you want. Now the problem is that one starts an elog entry, waits twenty minutes, then wants to submit it, but you are bought back to the login screen and your entry is gone. Therefore I store the credentials (encrypted) in the form, so that the form can even be submitted after 20 minutes. Users at our lab are pretty happy with this solution.

In fact there is no way you can 100% ensure that the logged in user submits an entry without asking for his/her password during the submit. Even if the time span above is only very short, it still can happen that someone starts an entry, leaves the room, and someone else submits it. So people got used to the good practice not to leave any unfinished elog entry open when they go or leave the browser (to another tab for example). If I would implement to password request during the submit, there would be two problems: 1) Users will heavily complain and 2) I have to store the form data temporary (together with some optional attachments) on the server side, start a password query, and only if that succeeds submit the entry. This is somehow complicated to implement since I cannot use the normal elog database. Then I have to care about dangling entries (like if the password was wrong I should delete the temporary data???) and so on.

I plan for the future a kind of "draft" mode, where entries can be stored as "drafts" (like in most email systems). You get an auto-save every few minutes, and can work on the draft before actually submitting it. In that case your password query could be implemented more easily. But implementing the draft mode needs a change of the database system, so I have to find time to do that.

Best regards,

Stefan 

ELOG V3.1.5-fe60aaf